Analysis
Are you one cyber breach away from insolvency?
SPONSORED: Individual patient records can be sold for up to $1000 each on the dark web, making general practices an attractive target for criminals.
Cyber breaches in the health sector are on the rise and practices should expect cyber-attacks to increase in volume and complexity.
This is why:
- Many practices have low levels of cyber security
- Many practices confuse data loss with data theft (e.g. backing up your data does not protect you from data theft)
- Practices possess large volumes of personal information of high monetary value on the Dark Web (criminal interest)
- The health sector has valuable intellectual property
- Practices provide a gateway to our critical hospital infrastructure (foreign government interest)
According to Australian Cyber Security Centre (ACSC) reporting, the Healthcare and Social Assistance sector has the third-highest rate of cyber security incidents behind the Commonwealth and State Governments.
Cyber security incidents to which the ACSC responded in 2021–22.
GPs and practice staff who use our RACGP CPD cyber training are often surprised to learn the value of patient medical records, which can be sold for up to $1000 each on the black market.
Consider what your business is worth to a criminal. For the few minutes of effort a bulk attack takes, the return on investment is high. And what about the insider threat?
Cyber-crime pays well, and disgruntled employees can now be dangerous. The health sector has the highest rate of insider incidents when compared to other Australian industry sectors.
Cyber-attack and active threats to information security have fundamentally changed the business world.
Generally, we have observed that managed IT service providers are not equipped to understand and manage the information security of their clients. There is a need for greater security governance literacy in health businesses.
For example, 100% of our health sector clients who previously used a managed IT service provider either did not have multi-factor or second-factor authentication in their systems, or they shared the general business account and password between numerous people at the front desk, and in most cases both. Some had the password on a post-it note stuck to the monitor.
These are symptoms of serious gaps in information security that expose practices and their directors – not to mention patients – to serious consequences.
If your practice doesn’t have a Privacy Statement, you are currently in breach of the law. Does your IT person have this in hand?
What about the rest of your processes, responses, and training of your staff? Information security is not just a technical problem – people are your primary vulnerability.
Source: OAIC Notifiable Data Breaches Report: July to December 2022
The above chart identifies only those breaches that have been identified and notified. Consider the part of the iceberg we can’t yet see.
So, what could be the cost of a data breach where you lose patient information? This is the potential exposure of your practice:
- ACSC data suggests the average cost to deal with an incident is around $88,000. In our experience, it is much more, with some clients spending this amount just on legal advice and support
- Litigation from patients due to their loss and damages
- Loss of revenue due to business interruption and reputational damage
- Fines and penalties for directors, businesses, and in some instances employees
Information security is the legal liability of directors.
To securely manage your practice’s information and digital infrastructure, your IT provider must understand your business operations, risks, legal compliance obligations, insurance context, system security configuration, and operational technology.
Patient care now extends to the protection of their personal information. It is time to become actively involved in the information security of your business.
For GPs seeking immediate support, Vescient is actively engaged in the health sector and can provide tailored skills, quality and experience to all kinds of organisations, from small clinics to large enterprises.
This advertorial was commissioned by Vescient and independently reviewed by newsGP.